Due to IE10 published, I’ll conclude the methods that how to add trust sites in to IE of the version before IE10.
General, there are three methods to set trust sites to client machine by GPO from DC configured on windows 2003 or windows 2008.
If the client machine is newer than windows 7 (including windows 7) or preferences installed in windows XP, there is the fourth method named “Group Policy Preferences”.
Then I’ll introduce and compare these methods below:
Name: “Import the current security zones and privacy settings” in IE Maintenance
1) 1) Open GPO for IE settings in DC of windows 2003 or 2008.
2) 2) Navigate to: “User Configuration\Policies\Windows Settings\ Internet Explorer Maintenance\Security”
3) 3) Double-click Security Zones, click Continue if prompted. Click “Import the current security zones and privacy settings”, click Modify Settings.
4) 4) Change settings and click OK. Run “gpupdate /force” on client machine and test the result.
Advantages: simple and adapted by major of DC administrator.
1) 1) If DC enable “IE ESC” in its feature configuration, the client machine also must enable its ESC feature so that it could get the GPO successfully, otherwise the client will fail to apply that setting. But unfortunately, excepting windows 2003 or 2008 as client, other OS such as XP, windows 7 all do not have this feature. So if you want to set trust sites by “Import the current security zones and privacy settings”,
Generally, there are two choose:
A. Disable ESC in DC and confirm all windows 2003&2008 clients disable their ESC.
B. Enable ESC on DC and keep your all client machines as windows 2003&2008 with ESC enabled.
2) 2) The second disadvantage: if using “Import the current security zones and privacy settings” to just set “TrustedSites”, other content in other security zones or “Custom level…” will be applied in same time even you did not to configure them.
Name: “Site to the zone assignment list” in Administrative Templates.
1) 1) This method will only apply what you expected security zone to clients without the content of other security zones or parts such as “Custom level…”
2) 2) It make DC administrator easy to control the trusted sites if their company restraint the end-user strictly on access internet because the end-user in this domain could not edit “TrustedSites” and other similar security zones after their domain using this GPO.
Disadvantages: When we configure “Site to Zone assignment list GPO” then end-users will NOT be able to add their own sites to any zone. Options to add sites on client machine will be greyed out after IE7 version. In IE6, it appears not grey and seems end-user still can add other web sites. In fact, they will find their update disappear just now after they re-enter the “Internet Properties” page.
Name: “Logon Scripts”
1) 1) Choose a client machine with IE settings and open IE.
2) 2) Add all web sites you need set to “Trusted sites” security zone.
3) Run “regedit” in CMD window, entering path “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains”
4) 4) Export “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains” and “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges” if you set IP trusted sites.
5) 5) Combine them to “trustedsites.reg” files.
6) 6) Created a file named “regadd.cmd” under “SysVol” path of GPO in DC, add below content to “regadd.cmd”: reg import trustedsites.reg
Note: “SysVol” path of GPO in DC is \\DomainName\SysVol\DomainName\Policies\<GUID
You also can find it by enter into “User Configuration | Policies | Windows Settings | Scripts | Logon | Add | Browse… ” as following picture shows:
Advantages: this is a flexible method without the disadvantages of other two methods above.
Disadvantages: Customer has to re-logon by apply the logon script and there exists risks when client machine fails to run the scripts.
Name: “Group Policy Preferences”
1) 1) Enter “User Configuration | Preferences | Windows Settings | Registry” in DC and add registry key as below picture:
2) Run “gpupdate /force” in client machine and will get the result as following page:
Advantages: this is a more flexible method that DC administrator can consider and end-user still update their trusted sites list as they want.
Disadvantages: there are several main disadvantages:
1) 1) This is a new feature started by Window 2008. In other words, if your DC is windows 2003, it does include this feature: http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx
2) 2) Windows 2003, windows Vista and windows XP clients need install “Group Policy Preferences client Side Extensions” if they want to apply these settings from “Group Policy Preferences” of windows 2008 DC: http://www.microsoft.com/en-us/download/search.aspx?q=KB943729
3) 3) Preference settings will: tattoo.
a. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value.
b. Even remove the setting of this registry key in GPO, the value in client machine will not be removed, otherwise you still set it as another value from “Group Policy Preferences” or “delete” the one you want to remove from “Group Policy Preferences”.
XiaoMan Wang from APGC DSI Team